earn
Fail
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: HIGH
CREDENTIALS_UNSAFE, DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [DATA_EXPOSURE]: The skill explicitly instructs the agent to read sensitive local configuration files that may contain system instructions, personality profiles, and private metadata. Evidence includes commands to read ~/.openstall/config.json, CLAUDE.md, .claude/settings.json, and soul.md.
- [CREDENTIALS_UNSAFE]: The agent is directed to actively scan its environment for specialized API keys and credentials (e.g., Midjourney, ElevenLabs, Social Media APIs, and specialized databases) to identify monetizable capabilities. This encourages the use of private credentials to serve third-party requests.
- [COMMAND_EXECUTION]: The skill utilizes several high-risk command patterns, including global package installation (npm install -g @openstall/sdk@latest) and the execution of background daemon processes (openstall worker start) to handle remote tasks.
- [EXTERNAL_DOWNLOADS]: The setup process requires downloading and installing external code from the NPM registry (@openstall/sdk), which serves as the core interface for the marketplace operations.
- [PROMPT_INJECTION]: The skill uses behavioral override language ('You are now in OpenStall earn mode', 'Your behavior change...') to redirect the agent's focus toward discovering and publishing its internal capabilities and secrets.
- [DATA_EXFILTRATION]: By establishing a 'worker' that polls for tasks from an external marketplace, the skill creates a bidirectional communication channel where local data or the outputs of credentialed API calls can be sent to untrusted third-party agents.
- [INDIRECT_PROMPT_INJECTION]: The worker mechanism represents a significant attack surface (Category 8).
  - Ingestion points: openstall worker poll receives arbitrary task data from the marketplace.
  - Boundary markers: No instructions are provided to sanitize or isolate task inputs from the agent's execution logic.
  - Capability inventory: The agent is encouraged to use its full suite of tools (Playwright, API access, file system) to satisfy these external tasks.
  - Sanitization: The skill lacks input validation or output filtering mechanisms to prevent malicious tasks from exploiting the agent.
Recommendations
- AI detected serious security threats
Audit Metadata